Apple always took a firm stance on user security and reliability when it comes
to their iPhone series. The iOS operating system is known as one of the most
secure operating systems in the market. However, 2 major vulnerabilities have
been recently discovered that have existed for years and are actively being exploited in the wild.
Researchers at security firm ZecOps were conducting a routine Digital Forensics
and Incident Response (DFIR) investigation when they ran into some abnormalities with some iPhones. This led to the discovery of 2 vulnerabilities in the default Apple Mail app – an out-of-bounds write and a heap-overflow. These vulnerabilities can lead to remote code execution and total takeover of the device.
The alarming part is how long these vulnerabilities have been around – researchers say they have existed at least since iOS 6, which was released in September of 2012.
The first attacks in the wild that they could find were from January 2018; that’s over 2 years of exploitation. Some suspected targets include
Managed Security Service Providers from the Middle East, journalists in Europe,
corporate executives from Japan and Sweden, as well as individuals at a Fortune 500 organization in North America.
The 2 vulnerabilities stem from a common issue: how the application handles
return values from system calls. The vulnerability can be exploited by sending a
large e-mail, or at least one large enough to consume enough RAM to cause the
overflow and bounds issues. In iOS 13, the exploit can work even without user
interaction, while in iOS 12 the user has to click on the e-mail, but the attack
can take place before the content is rendered. Users may notice a slight delay in
the mail app on iOS 13 for a short time, but other than that there is no other
noticeable abnormal behavior. In iOS 12, the exploit has been known to cause
the mail app to occasionally crash. Part of the attacker’s routine is to remove
the e-mail from the victim’s phone, showing operational security awareness in
cleaning their tracks.
Apple has released a publicly-available beta of version 13.4.5 with a fix for both
vulnerabilities, but the patch has not made it to stable release yet. Until that
happens, it is recommended to disable the Apple Mail app and switch to Outlook or Gmail if updating to the beta isn’t possible. Also, make sure to log out of
the Apple Mail app as well.